Navigate

AC-3

AC-3: Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Supplemental

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.AC-4, PR.PT-3

Related Controls

The controls below (if any) were marked by NIST as being related to AC-3.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
AC-4	Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].
AC-5	a: Identify and document [duties of individuals requiring separation are defined;] ; and b: Define system access authorizations to support separation of duties.
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-16	a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission; b: Ensure that the attribute associations are made and retained with the information; c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ]; d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;]; e: Audit changes to attributes; and f: Review [one of ] for applicability [one of ].
AC-17	a: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b: Authorize each type of remote access to the system prior to allowing such connections.
AC-18	a: Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b: Authorize each type of wireless access to the system prior to allowing such connections.
AC-19	a: Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b: Authorize the connection of mobile devices to organizational systems.
AC-20	a: [one or more of "establish {{ insert: param, ac-20_odp.02 }} "/"identify {{ insert: param, ac-20_odp.03 }} "] , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1: Access the system from external systems; and 2: Process, store, or transmit organization-controlled information using external systems; or b: Prohibit the use of [types of external systems prohibited from use are defined;].
AC-21	a: Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;] ; and b: Employ [automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;] to assist users in making information sharing and collaboration decisions.
AC-22	a: Designate individuals authorized to make information publicly accessible; b: Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c: Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d: Review the content on the publicly accessible system for nonpublic information [the frequency at which to review the content on the publicly accessible system for non-public information is defined;] and remove such information, if discovered.
AC-24	[one or more of "establish procedures"/"implement mechanisms"] to ensure [access control decisions applied to each access request prior to access enforcement are defined;] are applied to each access request prior to access enforcement.
AC-25	Implement a reference monitor for [access control policies for which a reference monitor is implemented are defined;] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-2	a: Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1: As part of initial training for new users and [one of ] thereafter; and 2: When required by system changes or following [one of ]; b: Employ the following techniques to increase the security and privacy awareness of system users [techniques to be employed to increase the security and privacy awareness of system users are defined;]; c: Update literacy training and awareness content [the frequency at which to update literacy training and awareness content is defined;] and following [events that would require literacy training and awareness content to be updated are defined;] ; and d: Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
AT-3	a: Provide role-based security and privacy training to personnel with the following roles and responsibilities: [one of ]: 1: Before authorizing access to the system, information, or performing assigned duties, and [the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;] thereafter; and 2: When required by system changes; b: Update role-based training content [the frequency at which to update role-based training content is defined;] and following [events that require role-based training content to be updated are defined;] ; and c: Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
AU-9	a: Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b: Alert [personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;] upon detection of unauthorized access, modification, or deletion of audit information.
CA-9	a: Authorize internal connections of [system components or classes of components requiring internal connections to the system are defined;] to the system; b: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c: Terminate internal system connections after [conditions requiring termination of internal connections are defined;] ; and d: Review [frequency at which to review the continued need for each internal connection is defined;] the continued need for each internal connection.
CM-5	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-11	a: Establish [policies governing the installation of software by users are defined;] governing the installation of software by users; b: Enforce software installation policies through the following methods: [methods used to enforce software installation policies are defined;] ; and c: Monitor policy compliance [frequency with which to monitor compliance is defined;].
IA-2	Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-5	Manage system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b: Establishing initial authenticator content for any authenticators issued by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e: Changing default authenticators prior to first use; f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur; g: Protecting authenticator content from unauthorized disclosure and modification; h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i: Changing authenticators for group or role accounts when membership to those accounts changes.
IA-6	Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
IA-7	Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
IA-11	Require users to re-authenticate when [circumstances or situations requiring re-authentication are defined;].
IA-13	Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with [identification and authentication policy is defined;] using [mechanisms supporting authentication and authorization decisions are defined;].
MA-3	a: Approve, control, and monitor the use of system maintenance tools; and b: Review previously approved system maintenance tools [frequency at which to review previously approved system maintenance tools is defined;].
MA-4	a: Approve and monitor nonlocal maintenance and diagnostic activities; b: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d: Maintain records for nonlocal maintenance and diagnostic activities; and e: Terminate session and network connections when nonlocal maintenance is completed.
MA-5	a: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
PM-2	Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PS-3	a: Screen individuals prior to authorizing access to the system; and b: Rescreen individuals in accordance with [one of ].
PT-2	a: Determine and document the [the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;] that permits the [the type of processing of personally identifiable information is defined;] of personally identifiable information; and b: Restrict the [the type of processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is authorized.
PT-3	a: Identify and document the [the purpose(s) for processing personally identifiable information is/are defined;] for processing personally identifiable information; b: Describe the purpose(s) in the public privacy notices and policies of the organization; c: Restrict the [the processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is compatible with the identified purpose(s); and d: Monitor changes in processing personally identifiable information and implement [mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;] to ensure that any changes are made in accordance with [requirements for changing the processing of personally identifiable information are defined;].
SA-17	Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a: Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture; b: Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c: Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
SC-2	Separate user functionality, including user interface services, from system management functionality.
SC-3	Isolate security functions from nonsecurity functions.
SC-4	Prevent unauthorized and unintended information transfer via shared system resources.
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].
SC-13	a: Determine the [cryptographic uses are defined;] ; and b: Implement the following types of cryptography required for each specified cryptographic use: [types of cryptography for each specified cryptographic use are defined;].
SC-28	Protect the [one or more of "confidentiality"/"integrity"] of the following information at rest: [information at rest requiring protection is defined;].
SC-31	a: Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [one or more of "storage"/"timing"] channels; and b: Estimate the maximum bandwidth of those channels.
SC-34	For [system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;] , load and execute: a: The operating environment from hardware-enforced, read-only media; and b: The following applications from hardware-enforced, read-only media: [applications to be loaded and executed from hardware-enforced, read-only media are defined;].
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-8	a: Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b: Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

Enhancements

The controls below (if any) add on to the requirements of AC-3.

Control	Description
AC-3(1)
AC-3(2)	Enforce dual authorization for [privileged commands and/or other actions requiring dual authorization are defined;].
AC-3(3)	Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy: (a): Is uniformly enforced across the covered subjects and objects within the system; (b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1): Passing the information to unauthorized subjects or objects; (2): Granting its privileges to other subjects; (3): Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4): Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5): Changing the rules governing access control; and (c): Specifies that [subjects to be explicitly granted privileges are defined;] may explicitly be granted [privileges to be explicitly granted to subjects are defined;] such that they are not limited by any defined subset (or all) of the above constraints.
AC-3(4)	Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a): Pass the information to any other subjects or objects; (b): Grant its privileges to other subjects; (c): Change security attributes on subjects, objects, the system, or the system’s components; (d): Choose the security attributes to be associated with newly created or revised objects; or (e): Change the rules governing access control.
AC-3(5)	Prevent access to [security-relevant information to which access is prevented except during secure, non-operable system states is defined;] except during secure, non-operable system states.
AC-3(6)
AC-3(7)	Enforce a role-based access control policy over defined subjects and objects and control access based upon [one of ].
AC-3(8)	Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [rules governing the timing of revocations of access authorizations are defined;].
AC-3(9)	Release information outside of the system only if: (a): The receiving [the outside system or system component to which to release information is defined;] provides [controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;] ; and (b): [controls used to validate appropriateness of information to be released are defined;] are used to validate the appropriateness of the information designated for release.
AC-3(10)	Employ an audited override of automated access control mechanisms under [conditions under which to employ an audited override of automated access control mechanisms are defined;] by [roles allowed to employ an audited override of automated access control mechanisms are defined;].
AC-3(11)	Restrict access to data repositories containing [information types requiring restricted access to data repositories are defined;].
AC-3(12)	(a): Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [system applications and functions requiring access assertion are defined;]; (b): Provide an enforcement mechanism to prevent unauthorized access; and (c): Approve access changes after initial installation of the application.
AC-3(13)	Enforce attribute-based access control policy over defined subjects and objects and control access based upon [attributes to assume access permissions are defined;].
AC-3(14)	Provide [mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;] to enable individuals to have access to the following elements of their personally identifiable information: [elements of personally identifiable information to which individuals have access are defined;].
AC-3(15)	(a): Enforce [one of ] over the set of covered subjects and objects specified in the policy; and (b): Enforce [one of ] over the set of covered subjects and objects specified in the policy.

Related CCIs

The CCIs below are tied to AC-3.

CCI	Definition
CCI-000213	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.